Skip to main content
CVE-2025-27520 CRITICAL POC PATCH THREAT Act Now

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deserialization. The serving endpoint accepts pickled Python objects that are deserialized without validation, allowing attackers to execute arbitrary code on any BentoML inference server.

Python RCE Deserialization Bentoml
NVD GitHub
CVSS 3.1
9.8
EPSS
87.3%
Threat
6.1
CVE-2025-28146 CRITICAL POC THREAT Emergency

Edimax AC1200 Wave 2 Dual-Band Gigabit Router BR-6478AC V3 1.0.15 was discovered to contain a command injection vulnerability via fota_url in /boafrm/formLtefotaUpgradeQuectel. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 19.4%.

RCE Command Injection Code Injection Br 6478ac V3 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
19.4%
CVE-2024-11235 CRITICAL POC PATCH Act Now

In PHP versions 8.3.* before 8.3.19 and 8.4.* before 8.4.5, a code sequence involving __set handler or ??= operator and exceptions can lead to a use-after-free vulnerability. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Use After Free Memory Corruption PHP RCE Red Hat +1
NVD GitHub
CVSS 4.0
9.2
EPSS
1.5%
CVE-2024-13645 CRITICAL Act Now

The tagDiv Composer plugin for WordPress is vulnerable to PHP Object Instantiation in all versions up to, and including, 5.3 via module parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Information Disclosure RCE Code Injection WordPress
NVD
CVSS 3.1
9.8
EPSS
2.2%
CVE-2025-2798 CRITICAL Act Now

The Woffice CRM theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.4.21. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Privilege Escalation Woffice PHP
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2025-2244 CRITICAL Act Now

A vulnerability in the sendMailFromRemoteSource method in Emails.php as used in Bitdefender GravityZone Console unsafely uses php unserialize() on user-supplied input without validation. Rated critical severity (CVSS 9.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Deserialization Gravityzone
NVD
CVSS 4.0
9.5
EPSS
1.9%
CVE-2024-51800 CRITICAL Act Now

Incorrect Privilege Assignment vulnerability in Favethemes Homey allows Privilege Escalation.4.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-31403 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shiptrack Booking Calendar and Notification allows Blind SQL Injection.0.3. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2025-32118 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in NiteoThemes CMP - Coming Soon & Maintenance allows Using Malicious Files.1.13. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
9.1
EPSS
0.5%
CVE-2025-31480 CRITICAL Act Now

aiven-extras is a PostgreSQL extension. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PostgreSQL Privilege Escalation
NVD GitHub
CVSS 3.1
9.1
EPSS
0.4%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy